alert tcp any any -> $HOME_NET 445 (msg:"ET TROJAN Executable contained in DICOM Medical Image SMB File Transfer"; flow:established,to_server; flowbits:isset,ET.smb.binary; content:"SMB"; depth:8; content:"MZ"; distance:0; content:"DICM"; fast_pattern; distance:126; within:4; reference:url,https://github.com/d00rt/pedicom/; reference:url,labs.cylera.com/2019/04/16/pe-dicom-medical-malware/; classtype:trojan-activity; sid:2027402; rev:1; metadata:affected_product Windows_Client_Apps, attack_target Client_Endpoint, deployment Internal, signature_severity Major, created_at 2019_05_31, updated_at 2019_05_31;)

Added 2019-05-31 18:38:10 UTC


Topic revision: r1 - 2019-05-31 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats